A method of securely implementing a cryptography
algorithm of the RSA type, and a corresponding 
component 

The present invention relates to a method of
securely implementing a cryptography algorithm in an
electronic component, and more particularly to a method
of securely implementing a cryptography algorithm of
the Rivest-Shamir-Adleman (RSA) type.

The invention also relates to the corresponding
electronic component.

Such components are used, in particular, in
applications in which access to services or to data is
stringently controlled.

They have a "software" architecture, i.e. a
programmable architecture, formed around a
microprocessor and around memories, including a
non-volatile memory of the Electrically Erasable
Programmable Read-Only Memory (EEPROM) type which
contains one or more secret numbers. The architecture
is a non-specialist architecture suitable for executing
any algorithm.

Such components are used in computer systems,
on-board or otherwise. They are used, in particular, in
smart cards, for certain applications thereof. For
example, such uses are applications for access to
certain databanks, banking applications, remote payment
applications, e.g. for television purchases, for
gasoline purchases, or for payment of highway tolls.

Such components or cards thus implement a
cryptography algorithm for encrypting transmitted data
and/or for decrypting received data, or for
authenticating or digitally signing a message.

On the basis of such a message applied as input
into the card by a host system (server, automatic
teller machine, etc.) and on the basis of secret
numbers contained in the card, the card returns the
message as encrypted, authenticated, or signed to the
host system, thereby enabling the host system to
authenticate the component or the card, and to exchange
data, etc.

The characteristics of the cryptography algorithm
can be known: computations performed; parameters used.
The only unknown quantity is the secret number(s). The
entire security of such cryptography algorithms relies
on that/those secret number(s) contained in the card
and unknown to the world outside the card. The secret
number(s) cannot be deduced merely by knowledge of the
message applied as input and of the encrypted message
delivered in return.

Unfortunately, it has appeared that external
attacks based on physical magnitudes measurable from
the outside of the component while said component is
running the cryptography algorithm make it possible for
ill-intentioned people to find the secret number(s)
contained in the card. Such attacks are known as "side
channel attacks". Among such side channel attacks,
there are Single Power Analysis (SPA) attacks based on
one measurement or a few measurements, and Differential
Power Analysis (DPA) attacks based on statistical
analyses resulting from many measurements. The
principle of such side channel attacks is based, for
example, on the fact that the current consumption of
the microprocessor executing instructions varies as a
function of the instruction or of the data being
handled.

There also exists a type of attack known as a
"fault attack". In that type of attack, the attacker
injects any fault while the cryptography algorithm is
being computed, with the aim of using the presence of
the fault to extract secret information.

The fault can also come from a computation error
due to the hardware implementing the cryptography
algorithm. However, in both cases, it is considered
that a fault attack has occurred.

The various types of attack are possible in
particular with public-key cryptography algorithms such
as, for example, the RSA algorithm (named after its
authors Rivest, Shamir, and Adleman) which is the
algorithm that is in most widespread use in this field
of application, and to which the present invention is
more particularly applicable.

The main characteristics of the RSA public-key
cryptographic system are recalled briefly below.

The first public-key encryption and signature
scheme was developed in 1977 by Rivest, Shamir, and
Adleman, who invented the RSA cryptographic system.
The security of RSA is based on the difficulty of
factoring a large number that is the product of two
prime numbers. That system is the most widely used
public-key cryptographic system. It can be used as an
encryption method or as a signature method.

The principle of the RSA cryptographic system is
as follows. It consists firstly in generating the pair
of RSA keys.

Thus, each user creates an RSA public key and a
corresponding private key, using the following 5-step
method:

1) Generate two distinct prime numbers p and q;

2) Compute $n = pq$ and $\varphi(n) = (p-1)(q-1)$, where $\varphi$ is
called the Euler totient function or the Euler
phi-function;

3) Select an integer e, $1 < e < \varphi(n)$, such that
$\gcd(e, \varphi(n)) = 1$, randomly or on the choice of the user
who could thus choose e to be small such that $e = 2^{16}+1$
or $e = 3$ or $e = 17$;

4) Compute the unique integer d, $1 < d < \varphi(n)$, such
that: $e \cdot d \equiv 1 \pmod{\varphi(n)}$; (1)

5) The public key is (n, e); the private key is d
or (d, p, q).

The integers e and d are called respectively the
"public exponent" and the "private exponent". The
integer n is called the "RSA modulus".

Once the public and private parameters are
defined, given x with $0 < x < n$, the public operation on x
which can, for example, be the encryption of the
message x, consists in computing:

$y = x^e \bmod n$ (2)

In which case, the corresponding private
operation is the operation of decrypting the encrypted
message y, and consists in computing:

$y^d \bmod n$ (3)

The public operation on x can also be
verification of the signature x, and then consist in
computing:

$y = x^e \bmod n$ (2)

The corresponding private operation is then
generation of a signature x on the basis of the
previously encoded message y by applying a hash
function or "padding" function $\mu$, and consists in
computing:

$y^d \bmod n$ (3)

where $x = y^d \bmod n$ since $e \cdot d \equiv 1 \pmod{\varphi(n)}$.

Another mode of operation known as the Chinese
Remainder Theorem (CRT) mode is presented below. It is
four times faster than the mode of operation of the
standard RSA algorithm. In the CRT mode, the modulo n
computations are not performed directly, but rather the
modulo p and modulo q computations are performed first.

The public parameters are (n, e) but, in the CRT
mode, the private parameters are (p, q, d) or
$(p, q, d_p, d_q, i_q)$, where

$d_p = d \bmod (p-1)$, $d_q = d \bmod (q-1)$

and $i_q = q^{-1} \bmod p$

By relationship (1), the following are obtained:

$e \cdot d_p \equiv 1 \pmod{p-1}$ and $e \cdot d_q \equiv 1 \pmod{q-1}$ (4)

The public operation is performed in the same
manner as for the standard operating mode. In
contrast, for the private operation, the following are
computed first:

$x_p = y^{d_p} \bmod p$ and $x_q = y^{d_q} \bmod q$

Then, by applying the Chinese Remainder Theorem,
$x = y^d \bmod n$ is obtained by:

$x = \mathrm{CRT}(x_p, x_q) = x_q + q\,[\,i_q (x_p - x_q) \bmod p\,]$ (5)

An important aspect of the field of public-key
cryptography using the RSA encryption scheme thus
consists in making implementation of the RSA algorithms
secure against the various possible types of attack
mentioned above, in particular side channel attacks
such as DPA and SPA attacks, as well as "fault" attacks
in which the attacker, by using any method, injects a
fault during the computation of a private operation of
the RSA algorithm with the aim of obtaining a corrupted
value from which it is possible, in certain cases, to
deduce certain items of secret data.

In the state of the art, certain countermeasure
methods have been devised for parrying the various
types of attack.

In particular, one possible countermeasure for
parrying DPA (and SPA) type attacks against RSA in
standard mode consists in making the private operation
(signature or decryption) of the RSA random by
inserting a random value into the computation.

Thus, one countermeasure method of that type
consists in computing the private operation in standard
mode (3) $x = y^d \bmod n$ in the following manner:

$x = y^{d-r} \cdot y^r \bmod n$, where r is a random integer.

However the drawback with that countermeasure method is
that the computing time is doubled.

Another countermeasure method of that type for
parrying DPA (and SPA) attacks against RSA in standard
mode consists in computing the private operation
(3) $x = y^d \bmod n$ in the following manner:

$x = y^{d + r \cdot \varphi(n)} \bmod n$, where r is a random integer.

However the drawback with that countermeasure
method is that it requires knowledge of the value of
$\varphi(n)$, which is generally unknown to the cryptography
algorithm that implements the private operation
(signature or decryption).

A variant of that method has therefore been
proposed, based not only on the knowledge of the value
of $\varphi(n)$, but also on the knowledge of the public
exponent e. (1) gives us: $e \cdot d \equiv 1 \pmod{\varphi(n)}$ and so an
integer k exists such that: $e \cdot d - 1 = k \cdot \varphi(n)$.

Therefore, the expression $x = y^{d + r \cdot \varphi(n)} \bmod n$
can be computed in the following form:

$x = y^{d + r \cdot (e \cdot d - 1)} \bmod n$, where r is a random
integer.

That countermeasure method is thus
computationally equivalent to the method from which it
follows, but it offers the advantage of not requiring
knowledge of the value of $\varphi(n)$. It requires less
memory in the sense that it does not require $\varphi(n)$ to be
kept.

However, in order to be implemented, that variant
countermeasure requires knowledge of the value of the
public exponent e. Unfortunately, in many cryptography
applications, the component or the device implementing
the private operation of the RSA algorithm does not
always have the public exponent e, in particular when
it executes the private operation only. Therefore, in
that context, the public exponent e is generally
unknown or unavailable.

The above-described countermeasures are mainly
intended for parrying attacks of the DPA type.
However, they also make SPA-type attacks more difficult
insofar as the execution of the algorithm is
non-deterministic.

As regards the other above-mentioned type of
attack, namely the "fault" attack, the best possible
protection for parrying it consists in testing, in
standard mode, whether the value x obtained by applying
the private operation does indeed satisfy the
relationship $x^e \equiv y \pmod{n}$ of the public operation.
If it does not, the value y is not returned, so as to
prevent it from being used for cryptanalysis purposes.

In CRT mode, the protection consists in checking
firstly whether the relationships $x^e \equiv y \pmod{p}$ and
$x^e \equiv y \pmod{q}$ are indeed satisfied.

When those relationships are satisfied, it is 
possible to be certain that no errors have occurred 
during the running of the private operation of the RSA 
algorithm. 

However, a drawback preventing implementation of
such checking against fault attacks in standard mode or
in CRT mode is that those checking operations also
require prior knowledge of the public exponent e.
Unfortunately, as explained above, the component or the
device implementing the private operation of the RSA
algorithm in standard mode or in CRT mode does not
always have the public exponent e, in particular when
it executes the private operation only. In that
context, the public exponent e is therefore generally
unknown or unavailable.

To that end, Patent Document FR 2 830 146 (D1)
proposes a method making it possible to perform certain
steps of a cryptography algorithm, in particular of the
RSA type in standard mode or in CRT mode, using a
public exponent e that is not known a priori.

The method disclosed in D1 makes it possible, in
particular, to provide a countermeasure, especially
against fault attacks, that offers the best possible
protection as mentioned above, even when the public
exponent e is not known.

For that purpose, let (e, d) be a corresponding
pair of RSA exponents that are respectively public and
private, and let n be the RSA modulus. D1 starts from
the following observation that, in 95% of cases, the
value of the public exponent e is chosen from among the
values $2^{16}+1$, 3, 17. The method of D1, explained
briefly herein with reference to the standard mode but
that can equally well be applied to the CRT mode, then
consists in checking that e is indeed equal to one of
said values by successively testing whether
$e_i \cdot d \equiv 1 \pmod{\varphi(n)}$, where $e_i \in E = \{2^{16}+1, 3, 17\}$,
until the relationship is satisfied.

When the relationship is satisfied for one $e_i$,
then it is known that $e = e_i$. Once the value of the
public exponent e has been determined in this way, e is
stored with a view to being used in computations of the
RSA algorithm aiming to check that no errors have
occurred due to a fault attack during the running of a
corresponding private operation of the RSA algorithm.

Thus, knowing e, it is possible to assert with a
probability equal to 1 that the private operation
relating, for example, to generating a signature s,
where $s = \mu(m)^d \bmod n$, where $\mu(m)$ is the value
obtained by applying a padding function $\mu$ to the
message m to be signed, has been performed without
error merely by checking that the value s obtained
satisfies the relationship $s^e \equiv \mu(m) \pmod{n}$ of the
corresponding public operation.

If it has not been possible to attribute any
value of $e_i$ to e, it is then necessary, in D1, to note that
the computations of the RSA algorithm using the value e
for securing against fault attacks cannot be performed.

However, a drawback with the method proposed by
D1 is that it requires a plurality of modular
computations to be performed when successive testing is
done to determine whether the relationship
$e_i \cdot d \equiv 1 \pmod{\varphi(n)}$ is satisfied, for a value $e_i$ from among the
$e_i$ values envisaged. That method is thus prohibitive in
terms of computation time and of computation resources.

Thus, the problem that arises is to mitigate the
above-mentioned drawbacks.

More particularly, an object of the present
invention consists in determining, in a manner that is
not prohibitive in terms of computation speed and
complexity, the value of a public exponent e from among
a set of predetermined probable values, when said value
of e is known a priori, the exponent e being
implemented in certain steps of an RSA-type
cryptography algorithm in standard mode or in CRT mode.

Another object therefore consists in making it
possible, once the value of the public exponent e has
been determined, to implement countermeasure operations
using the value of the public exponent e, aimed at
parrying firstly "fault attacks" and secondly "side
channel attacks", in particular of the DPA and SPA
types, that might be made during implementation of a
private operation of a cryptography algorithm, in
particular an algorithm of the RSA type.

With a view to achieving these objects, the
invention provides a method of securely implementing a
public-key cryptography algorithm, the public key being
composed of an integer n that is a product of two large
prime numbers p and q, and of a public exponent e, said
method consisting in determining a set E comprising a
predetermined number of values $e_i$ that can correspond to
the value of the public exponent e, the $e_i$ values being
prime numbers, said method being characterized in that
it comprises the following steps consisting in:



a) computing a value $\Phi = \prod_{e_i \in E} e_i$
such that $\Phi/e_i$ is less than $\varphi(n)$ for any $e_i$
belonging to E, where $\varphi$ is the Euler totient function;

b) applying the value $\Phi$ to a predetermined
computation;

c) for each $e_i$, testing whether the result of said
predetermined computation is equal to a value $\Phi/e_i$:

- if so, then attributing the value $e_i$ to e, and
storing e with a view to it being used in computations
of said cryptography algorithm;

- otherwise, observing that the computations of
the cryptography algorithm using the value e cannot be
performed.

The advantage is thus clearly that there is only
one modular multiplication.

In a first variant, the cryptography algorithm is
based on an RSA-type algorithm in standard mode.

With reference to said first variant, the
predetermined computation of step b) consists in
computing a value C:

$C = \Phi \cdot d \bmod \varphi(n)$, where d is the corresponding
private key of the RSA algorithm such that
$e \cdot d \equiv 1 \pmod{\varphi(n)}$ and $\varphi$ is the Euler totient function.

In an alternative, the predetermined computation
of step b) consists in computing a value C:

$C = \Phi \cdot d \bmod \lambda(n)$, where d is the corresponding
private key of the RSA algorithm such that
$e \cdot d \equiv 1 \pmod{\lambda(n)}$, with $\lambda$ being the Carmichael function.

In a second variant, the cryptography algorithm
is based on an RSA-type algorithm in CRT mode.

With reference to said second variant, the
predetermined computation of step b) consists in
computing a value C:

$C = \Phi \cdot d_p \bmod (p-1)$, where $d_p$ is the
corresponding private key of the RSA algorithm such
that $e \cdot d_p \equiv 1 \pmod{p-1}$.

In an alternative, the predetermined computation
of step b) consists in computing a value C:

$C = \Phi \cdot d_q \bmod (q-1)$, where $d_q$ is the
corresponding private key of the RSA algorithm such
that $e \cdot d_q \equiv 1 \pmod{q-1}$.

In another alternative, the predetermined
computation of step b) consists in computing two values
$C_1$ and $C_2$ such that:

$C_1 = \Phi \cdot d_p \bmod (p-1)$, where $d_p$ is the
corresponding private key of the RSA algorithm such
that $e \cdot d_p \equiv 1 \pmod{p-1}$;

$C_2 = \Phi \cdot d_q \bmod (q-1)$, where $d_q$ is the
corresponding private key of the RSA algorithm such
that $e \cdot d_q \equiv 1 \pmod{q-1}$;

and in that the test step c) consists, for each
$e_i$, in testing whether $C_1$ and/or $C_2$ is equal to the
value $\Phi/e_i$:

- if so, then attributing the value $e_i$ to e and
storing e with a view to it being used in computations
of said cryptography algorithm;

- otherwise, observing that the computations of
said cryptography algorithm using the value e cannot be
performed.

In the first variant, and when a value $e_i$ has been
attributed to e, the computations using the value e
consist in:

choosing a random integer r;

computing a value $d^*$ such that $d^* = d + r \cdot (e \cdot d - 1)$;
and

implementing a private operation of the algorithm
in which a value x is obtained from a value y by
applying the relationship $x = y^{d^*} \bmod n$.

In the first variant, and when a value $e_i$ has been
attributed to e, the computations using the value e
consist, after a private operation of the algorithm, in
obtaining a value x from a value y and in checking
whether $x^e \equiv y \pmod{n}$.

In the second variant and when a value $e_i$ has been
attributed to e, the computations using the value e
consist, after a private operation of the algorithm, in
obtaining a value x from a value y and in checking
firstly whether $x^e \equiv y \pmod{p}$ and secondly whether
$x^e \equiv y \pmod{q}$.

Preferably, the set E comprises at least the
following $e_i$ values: 3, 17, $2^{16}+1$.

The invention also provides an electronic 
component characterized in that it comprises means for 
implementing the method as defined above. 

The invention also comprises a smart card 
including an electronic component as defined. 

The invention also provides a method of securely
implementing a public-key cryptography algorithm, the
public key being composed of an integer n that is a
product of two large prime numbers p and q, and of a
public exponent e, said method consisting in
determining a set E comprising a predetermined number
of values $e_i$ that can correspond to the value of the
public exponent e, the $e_i$ values being prime numbers,
said method being characterized in that it comprises
the following steps consisting in:

a) choosing a value $e_i$ from the values of the set
E;

b) if $\Phi(p) = \Phi(q)$, testing whether the chosen $e_i$
value satisfies the relationship:

$(1 - e_i \cdot d) \bmod n < e_i \cdot 2^{(\Phi(n)/2)+1}$

or said relationship as simplified:

$(-e_i \cdot d) \bmod n < e_i \cdot 2^{(\Phi(n)/2)+1}$

where $\Phi(p)$, $\Phi(q)$, and $\Phi(n)$ are the functions
giving the numbers of bits respectively encoding the
number p, the number q, and the number n;

otherwise, when p and q are unbalanced, testing
whether the chosen $e_i$ value satisfies the following
relationship:

$(1 - e_i \cdot d) \bmod n < e_i \cdot 2^{g+1}$

or said relationship as simplified:

$(-e_i \cdot d) \bmod n < e_i \cdot 2^{g+1}$

with $g = \max(\Phi(p), \Phi(q))$, if $\Phi(p)$ and $\Phi(q)$ are
known, or, otherwise, with $g = \Phi(n)/2 + t$, where t
designates the imbalance factor or a limit on that
factor;

c) if the test relationship applied in the
preceding step is satisfied and so $e = e_i$, storing e
with a view to using it in computations of said
cryptography algorithm;

- otherwise, reiterating the preceding steps
while choosing another value for $e_i$ from the set E until
an $e_i$ value can be attributed to e and, if no $e_i$ value
can be attributed to e, then observing that the
computations of said cryptography algorithm using the
value of e cannot be performed.

The fact that the order of the $e_i$ values is chosen
as the order of the probabilities of the public
exponents appearing makes it possible to save time.
Thus, it is possible preferably to choose the following
order: $e_0 = 2^{16}+1$, $e_1 = 3$, $e_2 = 17$.

In a variant, for all values of i, $e_i \le 2^{16}+1$, and
the step b) is replaced by another test step consisting
in:

if $\Phi(p) = \Phi(q)$, testing whether the chosen $e_i$ value
satisfies the relationship:

$(1 - e_i \cdot d) \bmod n < e_i \cdot 2^{(\Phi(n)/2)+17}$

or said relationship as simplified:

$(-e_i \cdot d) \bmod n < e_i \cdot 2^{(\Phi(n)/2)+17}$

where $\Phi(p)$, $\Phi(q)$, and $\Phi(n)$ are the functions
giving the numbers of bits respectively encoding the
number p, the number q, and the number n;

otherwise, when p and q are unbalanced, testing
whether the chosen $e_i$ value satisfies the following
relationship:

$(1 - e_i \cdot d) \bmod n < e_i \cdot 2^{g+17}$

or said relationship as simplified:

$(-e_i \cdot d) \bmod n < e_i \cdot 2^{g+17}$

with $g = \max(\Phi(p), \Phi(q))$, if $\Phi(p)$ and $\Phi(q)$ are
known, or, otherwise, with $g = \Phi(n)/2 + t$, where t
designates the imbalance factor or a limit on that
factor.

In another variant, step b) is replaced with
another test step consisting in:

testing whether the chosen $e_i$ value satisfies the
relationship whereby:

the first most significant bits of $(1 - e_i \cdot d) \bmod n$
are zero;

or said relationship as simplified whereby:

the first most significant bits of $(-e_i \cdot d) \bmod n$
are zero.

Preferably, the test is performed on the first
128 most significant bits.

In a preferred embodiment of the invention, the
cryptography algorithm is based on an RSA-type
algorithm in standard mode.

According to one characteristic, when an $e_i$ value
has been attributed to e, the computations using the
value e consist in:

- choosing a random integer r;

- computing a value $d^*$ such that $d^* = d + r \cdot (e \cdot d - 1)$;

- implementing a private operation of the
algorithm in which a value x is obtained from a value y
by applying the relationship $x = y^{d^*} \bmod n$.

According to another characteristic, when an $e_i$
value has been attributed to e, the method of the
invention consists, after a private operation of the
algorithm, in obtaining a value x from a value y and
the computations using the value e consist in checking
whether $x^e \equiv y \pmod{n}$.

Preferably, the set E comprises at least the
following $e_i$ values: 3, 17, $2^{16}+1$.

The invention also provides an electronic
component characterized in that it comprises means for
implementing the method as defined above.

The invention also provides a smart card
including an electronic component as defined.

Other characteristics and advantages of the
present invention appear more clearly from the
following description given by way of non-limiting
indication.

The present invention thus describes various
techniques making it possible to validate the value of
a public exponent e that is not known a priori. These
techniques can be implemented by any electronic
component or device equipped with suitable
cryptographic computation means, and in particular by a
smart card.

The invention is based on the following
observation: let a set E comprise at least the
following values of $e_i$: $e_0 = 2^{16}+1$; $e_1 = 3$; and $e_2 = 17$;
this set E of values covers about 95% of the values of
the public exponents commonly used in the computations
of cryptography algorithms of the RSA type.

The first technique proposed by the present
invention, valid for the standard mode of the RSA
algorithm, then consists in general in choosing $e_0$ and
in checking whether $e = e_0$; if $e \ne e_0$, then an attempt is
made with $e_1$; and if $e \ne e_1$, then an attempt is made with
$e_2$.

It is possible that, for a certain application
corresponding to the 5% of other cases, e is equal
neither to $e_0$, nor to $e_1$, nor to $e_2$. The value of e is
thus more generally designated by $e_i$. And the method
consists finally in choosing a value $e_i$ from among the
$e_i$ values envisaged and in checking whether $e = e_i$.

More particularly, the first technique for
finding the value of e, valid for the standard mode of
the RSA algorithm, is based on the following reasoning:

In the standard mode, the private algorithm
(implementing an operation for signing or for
decrypting a message) has the value of the modulus n
and of the private exponent d.

Thus, from the expression (1), it follows that
there exists an integer k such that:

$e \cdot d = 1 + k\,\varphi(n)$

i.e. $1 - e \cdot d = -k\,\varphi(n) = -k\,(n - p - q + 1)$

By reducing both sides of the expression modulo
n, the following is obtained:

$1 - e \cdot d \equiv k\,(p + q - 1) \pmod{n}$

By noting that $k < e$ is always obtained when e is
relatively small, the preceding expression can also be
written:

$(1 - e \cdot d) \bmod n = k\,(p + q - 1)$ (6)

The left side of equation (6) has substantially
the same size as the modulus n, while the right side
has its size defined according to the following
expression when p and q are balanced, i.e. of the same
size $\Phi(p) = \Phi(q)$:

$k\,(p + q - 1) < e \cdot 2^{(\Phi(n)/2)+1}$

where $\Phi(n)$, $\Phi(p)$, $\Phi(q)$ are the functions giving
the numbers of bits encoding respectively the number n,
the number p, and the number q.

When p and q are not of the same size, the
function $g = \max(\Phi(p), \Phi(q))$, i.e. the function giving
the maximum of the lengths of p and q is called when
$\Phi(p)$ and $\Phi(q)$ are known; otherwise, $g = \Phi(n)/2 + t$ is
taken, where t designates the imbalance factor or,
otherwise, a limit on that factor. When p and q are
unbalanced, the formula of the above expression
becomes:

$k\,(p + q - 1) < e \cdot 2^{1+g}$

Since $n = p \cdot q$, if p and q are balanced, then the
expression $p + q < 2^{(\Phi(n)/2)+1}$ is obtained; conversely, if p
and q are unbalanced, then: $p + q < 2^{1+g}$

Thus, for all possible $e_i$ values in the set E, if
$\Phi(p) = \Phi(q)$, a test is conducted to determine whether
the chosen $e_i$ value satisfies the following
predetermined relationship:

$(1 - e_i \cdot d) \bmod n < e_i \cdot 2^{(\Phi(n)/2)+1}$ (7)

otherwise a test is conducted to determine
whether the chosen $e_i$ value satisfies the following
predetermined relationship:

$(1 - e_i \cdot d) \bmod n < e_i \cdot 2^{g+1}$ (7')

if the predetermined test relationship applied is
satisfied, then $e = e_i$ and e is stored;

otherwise, another value is chosen for $e_i$ from the
set E and the preceding steps are reiterated.

In a first variant, the test for finding the
value of e:

$(1 - e_i \cdot d) \bmod n < e_i \cdot 2^{(\Phi(n)/2)+1}$ or
$(1 - e_i \cdot d) \bmod n < e_i \cdot 2^{g+1}$, depending on whether or
not p and q are balanced, can be replaced with the
following test:

$(1 - e_i \cdot d) \bmod n < B$;

where $B > [\max_i(e_i)] \cdot 2^{(\Phi(n)/2)+1}$ when $\Phi(p) = \Phi(q)$;
and $B > [\max_i(e_i)] \cdot 2^{g+1}$ otherwise.

In our example, $E = \{2^{16}+1, 3, 17\}$. Thus, for all
values of i, $e_i \le 2^{16}+1$ and the preceding test can thus be
simplified in the following manner consisting in
checking whether:

$(1 - e_i \cdot d) \bmod n < B$, where $B = 2^{(\Phi(n)/2)+17}$ when
$\Phi(p) = \Phi(q)$;

and $(1 - e_i \cdot d) \bmod n < B$, where $B = 2^{g+17}$ otherwise.

In a second variant of the test, it is possible
to simplify the preceding test further by checking
whether the most significant bits, e.g. the 128 most
significant bits, of $(1 - e_i \cdot d) \bmod n$ are zero.

Finally, for the first technique, a final
simplification consists in determining the
predetermined relationship for the test on the values
of $e_i$, starting with the following relationship:

$(-e \cdot d) \bmod n = k\,(p + q - 1) - 1$

in place of relationship (6).

Thus, from this simplification, the following
simplification is obtained for test relationships (7,
7'):

$(-e_i \cdot d) \bmod n < e_i \cdot 2^{(\Phi(n)/2)+1}$ if $\Phi(p) = \Phi(q)$;
and $(-e_i \cdot d) \bmod n < e_i \cdot 2^{g+1}$ otherwise.

For the first variant, the following simplified
test is obtained:

$(-e_i \cdot d) \bmod n < B$, where $B = 2^{(\Phi(n)/2)+17}$ if
$\Phi(p) = \Phi(q)$ and $B = 2^{g+17}$ otherwise.

And, for the second variant of the test, the
following simplified test is obtained consisting in
checking whether the first most significant bits of
$(-e_i \cdot d) \bmod n$ are zero.

Regardless of the variant implemented, whether or
not it is in its simplified version, if the test is not
satisfied for a value of $e_i$, another value is chosen for
$e_i$ from the set E until a match is found.

If, for either of the variants concerning the
first technique described above, there does not exist
among the $e_i$ values a value such that $e = e_i$, then it
remains to observe that computations of the RSA
cryptography algorithm in standard mode that involve e
cannot be performed.

Conversely, when the value of e has been found
among the values $e_i$ of the set of predetermined values
E, by either of the variants, it is then possible to
check each private operation (3) of the cryptography
algorithm (consisting in decrypting a message or in
generating a signature) by making sure that the value x
obtained on the basis of a value y by applying the
private operation satisfies the relationship
$x^e \equiv y \pmod{n}$. Otherwise, the decrypted message or the
signature is not returned so as to avoid any
cryptanalysis.

As explained above, once e is known, the method
of the invention can also apply to a countermeasure, in
particular against DPA (and SPA) type attacks, as
described above. Such a method thus consists in:
choosing a random integer r; computing a value $d^*$ such
that $d^* = d + r \cdot (e \cdot d - 1)$; and implementing a private
operation of the algorithm in which a value x is
obtained from a value y by applying the relationship
$x = y^{d^*} \bmod n$.

Finally, the present invention relates to a
second technique for finding the value of the exponent
e from a set E comprising a set of predetermined values
$e_i$. As explained below, this technique is applicable
both for the standard mode of the RSA algorithm and for
the CRT mode.

Said technique consists more particularly in
improving the method proposed in D1. Thus, the
following steps are implemented:

a) compute a value $\Phi = \prod_{e_i \in E} e_i$
such that $\Phi/e_i$ is less than $\varphi(n)$ for any $e_i$
belonging to E, where $\varphi$ is the Euler totient function;

b) apply the value $\Phi$ to a predetermined
computation;

c) for each $e_i$, test whether the result of said
predetermined computation is equal to a value $\Phi/e_i$:

- if so, then attribute the value $e_i$ to e, and
store e with a view to it being used in computations of
the cryptography algorithm;

- otherwise, observe that the computations of the
cryptography algorithm using the value e cannot be
performed.

In standard mode, the predetermined computation
of step b) consists in computing a value C such that:

$C = \Phi \cdot d \bmod \varphi(n)$, where d is the corresponding
private key of the RSA algorithm in standard mode such
that $e \cdot d \equiv 1 \pmod{\varphi(n)}$.

For example, let the set $E = \{e_0 = 3, e_1 = 17, e_2 = 2^{16}+1\}$,
then $\Phi = e_0 \cdot e_1 \cdot e_2 = 3 \cdot 17 \cdot (2^{16}+1)$.

Thus, with $C = \Phi \cdot d \bmod \varphi(n)$:

If $C = 17 \cdot (2^{16}+1) = \Phi/e_0$ then $e = e_0 = 3$;

If $C = 3 \cdot (2^{16}+1) = \Phi/e_1$ then $e = e_1 = 17$;

If $C = 3 \cdot 17 = \Phi/e_2$ then $e = e_2 = 2^{16}+1$;

By means of a single modular computation making
it possible to obtain the value of C, it is thus
possible to find the value of the exponent e from a set
E, as a function of the results of said computation.
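
Why the comparison in step c) identifies e, as an added derivation in the symbols used above (it is not part of the original text). With $e \cdot d = 1 + k\,\varphi(n)$ and $e \in E$, so that e divides $\Phi$:

$$C = \Phi \cdot d \bmod \varphi(n) = \frac{\Phi}{e}\,(e \cdot d) \bmod \varphi(n) = \frac{\Phi}{e}\,\bigl(1 + k\,\varphi(n)\bigr) \bmod \varphi(n) = \frac{\Phi}{e}$$

The last equality uses the condition of step a), $\Phi/e < \varphi(n)$: the residue is $\Phi/e$ itself and not merely a value congruent to it. Because the $e_i$ are distinct, the values $\Phi/e_i$ are distinct, so at most one comparison in step c) can succeed.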

In an alternative, the predetermined computation
of step b) consists in computing a value C such that:

$C = \Phi \cdot d \bmod \lambda(n)$, where d is the corresponding
private key of the RSA algorithm in standard mode but
computed in said alternative modulo the Carmichael
function in place of modulo the Euler totient function,
and thus such that: $e \cdot d \equiv 1 \pmod{\lambda(n)}$, with $\lambda$ being
the Carmichael function.

When the value of e has been found and stored,
the computations of the cryptography algorithm in
standard mode implementing the value of e consist in
parrying fault attacks and in putting in place a
countermeasure, in particular against DPA (and SPA)
type attacks, and they are identical to the
computations described with reference to the first
technique.

In a variant, when the RSA algorithm implemented
is in CRT mode, the predetermined computation of step
b) consists in computing a value C such that:

$C = \Phi \cdot d_p \bmod (p-1)$, where $d_p$ is the
corresponding private key of the RSA algorithm such
that $e \cdot d_p \equiv 1 \pmod{p-1}$;

or indeed, such that:

$C = \Phi \cdot d_q \bmod (q-1)$, where $d_q$ is the
corresponding private key of the RSA algorithm such
that $e \cdot d_q \equiv 1 \pmod{q-1}$;

or indeed both of them, and in taking the e that
is given by at least one of the two tests.

When the value of e has indeed been found and
stored, the computations of the cryptography algorithm
in CRT mode implementing the value of e consist in
parrying fault attacks.

It is then possible to check each private
operation in CRT mode of the cryptography algorithm
(consisting in decrypting a message or in generating a
signature) by making sure that the value x obtained
from a value y by application of the private operation
in CRT mode satisfies firstly the relationship
$x^e \equiv y \pmod{p}$ and secondly the relationship $x^e \equiv y \pmod{q}$.
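
The two exponent-recovery techniques described above (test (7) on (1 - e_i.d) modulo n, and the single multiplication by the product of the e_i), together with the computations that use the recovered e (the randomized exponent d* and the x^e = y check in standard and CRT mode), as an added Python example that is not part of the original text. The key generator, the function names, the 256-bit prime size, the seed and the `inject_fault` switch are assumptions made for the demonstration; half the bit length of n is rounded up so that moduli of odd bit length are also handled, which goes slightly beyond the text.

```python
import math
import random
import secrets

E_SET = (2**16 + 1, 3, 17)  # the page's set E, most probable value first


def is_probable_prime(c, rng, rounds=24):
    """Miller-Rabin test, used only to build the constructed demo key."""
    if c < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13):
        if c % s == 0:
            return c == s
    m, t = c - 1, 0
    while m % 2 == 0:
        m, t = m // 2, t + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, c - 1), m, c)
        if x in (1, c - 1):
            continue
        for _ in range(t - 1):
            x = pow(x, 2, c)
            if x == c - 1:
                break
        else:
            return False
    return True


def make_key(e, bits=256, seed=2024):
    """Constructed demo key with balanced primes (seeded, not for real use)."""
    rng = random.Random(seed)

    def prime():
        while True:
            # Top two bits set so that n has exactly 2*bits bits.
            c = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
            if math.gcd(e, c - 1) == 1 and is_probable_prime(c, rng):
                return c

    p = prime()
    q = prime()
    while q == p:
        q = prime()
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return {"n": p * q, "p": p, "q": q, "phi": phi, "d": d,
            "dp": d % (p - 1), "dq": d % (q - 1), "iq": pow(q, -1, p)}


def find_e_from_n_d(n, d, candidates=E_SET):
    """First technique, balanced p, q: (1 - e_i*d) mod n < e_i * 2^(Phi(n)/2 + 1)."""
    half = (n.bit_length() + 1) // 2  # Phi(n)/2, rounded up for odd bit lengths
    for e_i in candidates:
        if (1 - e_i * d) % n < (e_i << (half + 1)):
            return e_i
    return None  # e not in E: the computations that need e cannot be performed


def find_e_by_product(d_part, modulus, candidates=E_SET):
    """Second technique: C = Phi*d mod phi(n), or Phi*d_p mod (p-1) in CRT mode."""
    big_phi = math.prod(candidates)
    c = (big_phi * d_part) % modulus  # the single modular multiplication
    for e_i in candidates:
        if c == big_phi // e_i:
            return e_i
    return None


def private_op_standard(y, n, d, e):
    """x = y^(d*) mod n with d* = d + r(e*d - 1), then the check x^e = y mod n."""
    r = secrets.randbits(32)  # fresh random integer r for every call
    x = pow(y, d + r * (e * d - 1), n)
    return x if pow(x, e, n) == y % n else None  # withhold x on mismatch


def private_op_crt(y, key, e, inject_fault=False):
    """CRT private operation (5), then x^e = y checked modulo p and modulo q."""
    p, q = key["p"], key["q"]
    x_p = pow(y, key["dp"], p)
    x_q = pow(y, key["dq"], q)
    if inject_fault:
        x_p ^= 1  # constructed computation error in the mod-p half
    x = x_q + q * ((key["iq"] * (x_p - x_q)) % p)
    if pow(x, e, p) != y % p or pow(x, e, q) != y % q:
        return None  # withhold the faulty result
    return x


if __name__ == "__main__":
    for e in E_SET:
        key = make_key(e)
        found = find_e_from_n_d(key["n"], key["d"])
        print(e, found, find_e_by_product(key["dp"], key["p"] - 1),
              private_op_crt(12345, key, found, inject_fault=True))
```

With distinct prime candidates, a wrong e_i leaves a residue of at least about n divided by e in the first test, far above the bound, which is why the comparison separates the candidates cleanly for balanced primes of this size.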



